Solving the Robocall Problem
Unwanted robocalls are the number one complaint from consumers about communication services. In the US alone, the FCC and FTC received approximately 6 million complaints in 2018 and, more disturbingly, Americans reported losing $1.48 billion to fraud from calls in 2018.
These consumers – your subscribers – are increasingly frustrated and are at risk of being taken advantage of by fraudsters. The knock-on effect is that consumers are less likely to pick up the phone and more likely to cut the cord.
An effective robocall solution consists of two key elements – Real-Time Analytics and STIR / SHAKEN.
What are Real-Time Analytics?
A key part of the problem is that bad callers are continually changing their calling behavior, such as the numbers they call from and who they are calling. Real-Time Analytics (aka Reputation Database or Call Validation Treatment, CVT) is a highly dynamic data engine that crunches data from many inputs, such as live calling behavior, crowd-sourcing and STIR / SHAKEN inputs. The data engine produces reputation scores for individual calling numbers. These scores are constantly changing based upon the behavior of a bad caller, and a score can go from good to bad in a matter of seconds.
How does a Service Provider make use of Real-Time Analytics?
When a terminating call arrives in the Service Provider’s network and before the destination telephone rings, the network voice core queries the Real-Time Analytics engine for the reputation score of the calling number at that point in time. What happens next depends upon the reputation score.
- If the score is good, the call is sent through untouched to the endpoint and the telephone rings.
- If the score is bad, then the call is handled depending upon how bad the call is. For example, the network could block the call with an announcement, send it to voicemail or add a warning to the caller ID (such as ‘SPAM?’), so the person receiving the call knows to approach with care.
Obviously it is critical to a reliable service that the Real-Time Analytics are constantly updated, accurate, and based on as comprehensive a data set as possible. That will be driven by the volume and breadth of incoming data and the quality of the algorithms in the data engine. It is of course critical that good calls get through, but just like email spam filters, some false positives should be expected. That is why it is important to use a carrier-grade solution using a Real-Time Analytics engine with a very low error rate. The solution should also include mechanisms for quickly fixing errors, such as the ability for carriers to add numbers to a safelist, and for subscribers to report problems themselves.
STIR / SHAKEN
Caller ID spoofing
Caller ID spoofing is the act of maliciously faking the caller ID on a phone call and has become an increasingly common technique used by robocallers. With the rise of VoIP technologies, spoofing has become incredibly easy. Once the caller ID is spoofed to look like something familiar, consumers are more likely to pick up the call. For example, a robocaller may make the call appear to come from a trusted major institution like a national bank, or from a local number (‘neighbor spoofing’).
Note that spoofing is illegal and is different from changing the caller ID for legitimate reasons, for example if a call center is making a call on behalf of a business and is presenting the caller ID of the business.
A key element of combating the robocall problem is protection from caller ID spoofing, and STIR / SHAKEN is the set of standards that does exactly that. It does this by securely authenticating the caller ID at the origination point of the call, then securely validating this caller ID at the termination point. This technology, combined with Real-Time Analytics, enables subscribers to make an informed decision about whether to pick up the phone.
How does STIR / SHAKEN work?
STIR / SHAKEN works by using well-established Public Key Infrastructure (PKI) technology, applied to the telephone network, to sign and verify the caller ID of a telephone call.
At the originating end of a call (steps (1) and (2)), the Telephone Service Provider uses the Authentication Service, referred to as the STI-AS in the standards, to add a digital signature. The signature attests that the Service Provider owns the signaled caller ID and the call is from the subscriber who has been assigned that number. The Authentication Service places the digital signature in a new SIP Identity header that flows to the terminating network (step (3)). The signature is generated using secure cryptographic techniques that are already widely used on the internet today, such as for encrypting credit card transactions.
At the terminating end of the call (steps (4) to (6)), the Telephone Service Provider uses the Verification Service (STI-VS) to verify the signature and ultimately to determine whether the signaled caller ID is genuine and not spoofed.
The terminating network may do various things with the results of SHAKEN verification. The most common uses are to feed into the Real-Time Analytics and to help with traceback of bad calls.
Why are Real-Time Analytics and STIR / SHAKEN both critical elements to a solution?
STIR / SHAKEN protects the network from caller ID spoofing, but does not tell you whether a call is good or bad. It is the job of Real-Time Analytics to tell you whether the call is good or bad. But STIR / SHAKEN is important because it significantly improves the quality of the Real-Time Analytics. Take the following example to show this in action.
Suppose an enterprise customer, Bob’s Garage, uses 444-333-2222 as the number they call from (their enterprise pilot line). Now imagine there is a fraudster who is spoofing Bob’s number.
Using STIR / SHAKEN, Bob’s calls are signed with a digital signature and the fraudster’s calls are not. Without the STIR / SHAKEN signature it is hard for Real-Time Analytics to tell the difference between Bob’s genuine calls and the fraudster’s calls. With the signature, Real-Time Analytics can easily distinguish between Bob’s calls (allowing them through) and the fraudster’s calls (blocking them).
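The Bob’s Garage scenario, together with the score-then-treat step described earlier, as an added Go example that is not part of the original page or any vendor's engine. The scoring rule (calls per record in the last 60 seconds), the thresholds, the traffic pattern and all names are assumptions made for illustration; a real engine uses many more inputs.

```go
package main

import "fmt"

// Key is one reputation record. With UseSHAKEN off, every call from a number
// shares a record; with it on, signed and unsigned calls are scored apart.
type Key struct{ TN string; Signed bool }

// Engine is a constructed stand-in for the analytics engine: a record's score is its call count in the last 60 s.
type Engine struct {
	UseSHAKEN bool
	calls     map[Key][]int64
}

// Treat records a call at time now (seconds) and picks a treatment; the thresholds 20 and 100 are assumed.
func (e *Engine) Treat(tn string, signed bool, now int64) string {
	k := Key{tn, signed && e.UseSHAKEN}
	var recent []int64
	for _, t := range e.calls[k] {
		if now-t < 60 {
			recent = append(recent, t)
		}
	}
	e.calls[k] = append(recent, now)
	switch n := len(e.calls[k]); {
	case n > 100:
		return "block"
	case n > 20:
		return "label SPAM?"
	}
	return "deliver"
}

// Scenario replays constructed traffic on Bob's number: 200 unsigned spoofed
// calls and 3 signed calls from Bob, then asks how the next call of each fares.
func Scenario(useSHAKEN bool) (bob, spoofed string) {
	e := &Engine{UseSHAKEN: useSHAKEN, calls: map[Key][]int64{}}
	for i := int64(0); i < 200; i++ {
		e.Treat("4443332222", false, i/4)
		if i%80 == 0 {
			e.Treat("4443332222", true, i/4)
		}
	}
	return e.Treat("4443332222", true, 50), e.Treat("4443332222", false, 50)
}

func main() {
	fmt.Println(Scenario(false)) // without the signature input
	fmt.Println(Scenario(true))  // with the signature input
}
```

Without the signature input Bob's genuine call shares the fraudster's record and is blocked with it; with the signature input the two records separate and only the unsigned traffic is blocked.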
STIR / SHAKEN Governance Model
A critical part of STIR / SHAKEN being a secure, trusted mechanism that operates in real networks is the Governance Model. To roll out a Public Key Infrastructure (PKI) across the telephone network requires a clear definition of who can apply for certificates, a secure mechanism for obtaining and managing certificates and a process to root out any bad behavior and take prompt appropriate action.
The Governance Model makes this happen using three separate organizations.
- STI-GA: Governance Authority. Oversees the whole deployment of STIR / SHAKEN, including appointing the STI-PA.
- STI-PA: Policy Administrator. Oversees the administration of certificate policies, i.e. the list of approved CAs, and who can apply for a certificate.
- STI-CA: Certificate Authority. Issues trusted certificates to qualifying organizations.
If a carrier wants to obtain SHAKEN certificates, they apply to the STI-PA for a token, which the carrier can use to obtain certificates from the STI-CA of their choice.
The initial set of qualifying criteria for applying for SHAKEN certificates is as follows.
- Have a current Form 499A on file with the FCC
- Have been assigned an Operating Company Number (OCN)
- Have direct access to telephone numbers from the North American Numbering Plan Administrator (NANPA) and National Pooling Administrator (NPA)
In Canada, the STI-GA is the CSTGA and the PA has not yet been appointed.